add proxy config

2026-03-01 09:22:05 +07:00 · 2026-03-01 09:22:05 +07:00 · 7e96bea32a
commit 7e96bea32a
parent ed86cd0917
3 changed files with 52 additions and 10 deletions
--- a/modules/system/homelab/proxy.nix
+++ b/modules/system/homelab/proxy.nix
@ -0,0 +1,40 @@
+{ homelab, ... }: let
+  base = "proxy.${homelab.domain}";
+  proxyMappings = {
+    "dns"     = { dest = "http://localhost:8088"; auth = true; };
+  };
+in {
+  users.users.nginx.extraGroups = [ "acme" ];
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@${homelab.domain}";
+    certs."${base}" = {
+      domain = "*.${base}";
+      extraDomainNames = [ base ];
+      dnsProvider = "cloudflare";
+      environmentFile = "/var/lib/acme/cloudflare.env";
+      # ^^^contents: CLOUDFLARE_DNS_API_TOKEN=XXXXX
+    };
+  };
+  
+  services.nginx = {
+      enable = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      virtualHosts = builtins.mapAttrs (subdomain: cfg: {
+        forceSSL = true;
+        useACMEHost = base;
+        
+        locations."/" = {
+          proxyPass = cfg.dest;
+          proxyWebsockets = true;
+          basicAuthFile = if cfg.auth then "/var/lib/nginx/.htpasswd" else null;
+          extraConfig = ''
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+          '';
+        };
+      }) proxyMappings;
+    };
+}